On 03/11/2016 09:25 AM, Petr Vobornik wrote:
On 03/10/2016 07:22 PM, Simo Sorce wrote:
On Thu, 2016-03-10 at 19:20 +0100, Pavel Vomacka wrote:

On 03/10/2016 07:02 PM, Simo Sorce wrote:
On Thu, 2016-03-10 at 18:47 +0100, Pavel Vomacka wrote:
Hi,

These two options allow preventing clickjacking attacks. They don't
allow FreeIPA to be opened in a frame, iframe or object element.
Will these apply to the whole server or just to /ipa ?

Yes, you are right, these apply to the whole server. In this new patch they
are applied only to /ipa.

--
Pavel^3 Vomacka

Thanks,
LGTM

Simo.


VERSION in a header needs to be incremented so that the config file is correctly processed during upgrade.

VERSION incremented.

--
Pavel^3 Vomacka
From 22768ac624f62ade5fded0780903d04a915b6487 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka <pvoma...@redhat.com>
Date: Thu, 10 Mar 2016 18:32:50 +0100
Subject: [PATCH] Add X-Frame-Options and frame-ancestors options

These two options allow preventing clickjacking attacks. They don't allow
FreeIPA to be opened in a frame, iframe or object element.

https://fedorahosted.org/freeipa/ticket/4631
---
 install/conf/ipa.conf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 8d4fea35e9c5aa15a611d90fe005090abb1d8e50..cf10fc815640bcfc56152d342ee70d7d363ba4e5 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 19 - DO NOT REMOVE THIS LINE
+# VERSION 20 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
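Review bot: The VERSION bump from 19 to 20 is required for this change to reach upgraded servers: the comment in the same header says the file may be overwritten on upgrades, and the thread notes that the upgrade path only rewrites the config when the version changes, so without this hunk the new headers in the second hunk would land on fresh installs only.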
@@ -71,6 +71,8 @@ WSGIScriptReloading Off
   ErrorDocument 401 /ipa/errors/unauthorized.html
   WSGIProcessGroup ipa
   WSGIApplicationGroup ipa
+  Header always append X-Frame-Options DENY
+  Header always append Content-Security-Policy "frame-ancestors 'none'"
 </Location>
 
 # Turn off Apache authentication for sessions
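Review bot: `Header always append` is the wrong verb for X-Frame-Options on the first added line. `append` merges the value into any existing header of that name with a comma, so if the header is also set at the vhost level or by the application the client receives something like `X-Frame-Options: DENY, SAMEORIGIN`, which is not a valid value and which browsers are not required to honour; `Header always set X-Frame-Options DENY` replaces whatever is there and is the conventional choice. For Content-Security-Policy appending is harmless (a browser enforces every policy it receives, and the most restrictive frame-ancestors wins), but using `set` on both lines keeps them consistent. The `always` condition is right: it also attaches the headers to the 401 page configured by the `ErrorDocument` line above, which a plain `Header` directive would skip.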
-- 
2.5.0
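What the two directives in the patch achieve, and the difference between `Header append` and `Header set`, can be checked directly from the headers a client receives. The following is an added example written for this thread, not FreeIPA or Apache code: it evaluates already-captured response headers offline, so the header sets it runs over are constructed samples (the first one mirrors the patch, the second is what `append` produces when another X-Frame-Options value was already present).

```python
"""Decide whether an HTTP response forbids framing by other sites.

Added example, not part of the FreeIPA patch: it checks the two
headers the patch adds, X-Frame-Options and Content-Security-Policy
frame-ancestors, from captured response headers. Header values are
taken as the client sees them, i.e. repeated headers already joined
with ", ", which is also what Apache's `Header append` produces.
"""
from typing import Dict, List, Optional, Tuple

# Values defined by RFC 7034. ALLOW-FROM is obsolete and ignored by
# current browsers, so it is not treated as protection here.
XFO_VALID = {"DENY", "SAMEORIGIN"}


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the most restrictive frame-ancestors source list found in
    a CSP header value, or None if no policy sets the directive.

    A comma-joined value carries several policies that a browser
    enforces together, so 'none' anywhere blocks framing outright.
    """
    found: List[List[str]] = []
    for policy in csp.split(","):
        for directive in policy.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                found.append([p.lower() for p in parts[1:]])
    if not found:
        return None

    def rank(sources: List[str]) -> int:
        if sources == ["'none'"]:
            return 0
        if sources == ["'self'"]:
            return 1
        return 2

    return min(found, key=rank)


def assess(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}

    # Browsers that understand frame-ancestors ignore X-Frame-Options
    # when both are present, so the CSP directive is decisive.
    csp = h.get("content-security-policy")
    if csp is not None:
        ancestors = parse_frame_ancestors(csp)
        if ancestors == ["'none'"]:
            return True, "CSP frame-ancestors 'none' blocks all framing"
        if ancestors == ["'self'"]:
            return True, "CSP frame-ancestors 'self' allows same-origin framing only"
        if ancestors is not None:
            return False, "CSP frame-ancestors permits " + " ".join(ancestors)

    xfo = h.get("x-frame-options")
    if xfo is None:
        return False, "neither X-Frame-Options nor frame-ancestors present"
    values = [v.strip().upper() for v in xfo.split(",")]
    if len(values) > 1:
        # A multi-valued X-Frame-Options header is not a valid value and
        # browsers need not apply it; this is the result of `Header
        # append` when the header was already set elsewhere.
        return False, "X-Frame-Options has several values %s; use Header set" % values
    if values[0] in XFO_VALID:
        return True, "X-Frame-Options %s" % values[0]
    return False, "X-Frame-Options %s is not a recognised value" % values[0]


# Constructed sample header sets (not captured from a real server).
SAMPLES: Dict[str, Dict[str, str]] = {
    "as_patched": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    },
    "appended_twice": {"X-Frame-Options": "DENY, SAMEORIGIN"},
    "legacy_only": {"x-frame-options": "sameorigin"},
    "csp_overrides_xfo": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors https://example.com",
    },
    "unprotected": {"Content-Type": "text/html"},
}


def evaluate_samples() -> Dict[str, bool]:
    """Run every sample through assess() and keep the verdicts."""
    return {name: assess(hdrs)[0] for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        ok, why = assess(hdrs)
        print("%-18s %-5s %s" % (name, "ok" if ok else "FAIL", why))
```

The sample set deliberately includes the case a reviewer would raise against `Header append`: once a second value is comma-joined onto X-Frame-Options, the check fails even though the word `DENY` is still present, while a CSP `frame-ancestors 'none'` keeps protecting regardless of how X-Frame-Options was mangled.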

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
